THE CYBER INITIATIVE


Thursday, February 28, 2008 

U.S. House of Representatives, 
Committee on Homeland Security, 

Washington, DC. 

The committee met, pursuant to notice, at 10:13 a.m., in Room 
311, Cannon House Office Building, Hon. Bennie G. Thompson 
[Chairman of the committee] presiding. 

Present: Representatives Thompson, Harman, Christensen, 
Etheridge, Langevin, Green, McCaul, Dent, and Brown. 

Chairman Thompson [presiding]. The committee will come to 
order. 

The committee is meeting today to receive testimony on the 
Cyber Initiative. The infiltration and exploitation of Federal Gov- 
ernment networks and critical infrastructure networks is one of the 
most critical national security issues confronting our country today. 

Public reports suggest that Federal networks have been under 
attack for years. These attacks have resulted in the loss of indeter- 
minate amounts of information. The purpose of today’s hearing is 
to discuss the administration’s proposed Cyber Initiative, a pro- 
posal that attempts to reduce the vulnerability of our Federal com- 
puter networks and critical infrastructure and the consequences of 
attacks against these networks. 

We aim to discuss several things today, including the consolida- 
tion of trusted internet centers, known as TICs, which would re- 
duce the number of Federal connections to the internet and allow 
for easier monitoring of incoming and outgoing traffic, the imple- 
mentation of the Department of Homeland Security’s cyber moni- 
toring capabilities throughout Federal agencies, known as Einstein, 
the privacy implications of electronic data collection, efforts under- 
way to conduct damage assessment of Federal systems, and efforts 
to secure our federally and privately owned critical infrastructure 
from cyber attack. 

Thus far, I have been extremely disappointed in this administra- 
tion’s efforts in cybersecurity. The administration drafted a high- 
level national strategy for a secure cyberspace in 2002 that pre- 
sented problems and possible solutions to high-level cybersecurity 
issues but never mandated any changes required to improve secu- 
rity. 

In 2003, the administration eliminated its top advisor on 
cybersecurity, Richard Clarke, who was a key advisor to the presi- 
dent. Then, after Congress pushed for the creation of an assistant 
secretary for cybersecurity, DHS waited over a year to fill the posi- 
tion and buried it four levels down in the bureaucracy. 

Despite the creation of a cross-agency intelligence director, the
administration failed to educate Federal agency officials on the 
cyber threat. For instance, in a 2007 hearing before this committee, 
the chief information officer at DHS, Scott Charbo, who is with us 
today, told us that he had never received any intelligence reports 
about nation state hacking and that he was unfamiliar with this 
activity. To me, this suggests a failure on the part of the director 
of national intelligence who is charged with connecting dots that 
would prevent cross-agency intelligence failures from occurring. 

This administration regularly requested inadequate budgets for 
DHS cybersecurity activities, both for the National Cyber Security
Division, the US-CERT and the CIO security budget and the R&D 
activities undertaken at the Science and Technology Directorate. 

This administration has vested responsibility for securing these 
networks in folks who don’t understand the threat or the technical 
methods to deal with the threat. Secretary Chertoff’s decision to
promote Mr. Charbo to the position of deputy under secretary for 
National Protection and Programs places him in charge of DHS’ ef- 
forts in the Cyber Initiative. This decision was made in spite of the 
committee’s investigation into how he and his staff failed both to 
protect the Department’s computers from intrusion and properly 
manage the contractor in charge of security. 

In light of these and other issues, it is hard to believe that this 
administration now believes it has the answers to secure our Fed- 
eral networks and critical infrastructure. 

I want to be clear: I believe that cybersecurity is a serious prob- 
lem, maybe the most complicated national security issue in terms 
of threat and jurisdiction. This problem will be with us for decades 
to come. 

I am pleased that this administration recognizes the challenges 
we face in securing this area. 

As Chairman of this committee, I continue to have numerous 
practical and theoretical questions about the initiative and the pos- 
sibilities of its success: Who is in charge, what are the matrix for 
success, who is accountable, how are privacy concerns being ad- 
dressed, how will future technologies be incorporated, how will fu- 
ture threats be addressed, what legal frameworks must be amend- 
ed, how will the administration work with the private sector, and 
what will be done with critical infrastructure? 

I am committed to charting a course toward freedom from fear, 
and I look forward to working through these difficult questions in 
the weeks, months and years to come. 

The Chair now recognizes the Ranking Member of the sub- 
committee and who is standing in for the Ranking Member of the 
full committee, the gentleman, Mr. McCaul, for an opening state- 
ment. 

Mr. McCaul. Thank you, Mr. Chairman. 

Today’s hearing is on the administration Cyber Security Initia- 
tive, which is a sweeping effort to better secure the computer net- 
works owned and operated by the Federal Government. 

In my judgment, since 9/11, we have been very focused on the 
threats in the physical world, and yet not enough attention, in my 
view, has been paid on threats in the virtual world. 

I am glad to see that the administration has come forward with
an initiative, a plan. Congressman Langevin and I have launched 
a nonpartisan commission to study the threat of cybersecurity to 
this Nation and to provide recommendations to the next President 
of the United States, and I look forward to seeing their rec- 
ommendations as well. 

As this committee learned last year, the Government’s computer 
networks are under constant attack from hackers and criminals, 
many of whom are sponsored by foreign nations. Just last year, the 
country of Estonia was temporarily taken off the internet by orga- 
nized hackers. While the chances that a similar attack could 
achieve similar results in this country are small, the threat re- 
mains very real. 

The Department of Homeland Security will play a prominent role 
in developing and implementing the administration’s initiative. In 
fact, the President’s fiscal year 2009 budget request includes close 
to $200 million more for DHS than was requested last year for 
cybersecurity, and I am pleased to see that. 

In addition, media reports indicate the administration plans to
ask for up to $30 billion over the next 5 years. If this figure is accu- 
rate, Congress needs to know how that money will be spent. This 
project is still in the formative stages; therefore, I understand a 
number of details cannot be shared at this time or possibly in an 
open forum. But it is important, however, that the administration 
keep Congress informed so as to avoid any misunderstanding about 
what this initiative is designed to do. 

With such a large project that cuts across the Government, effi- 
cient congressional oversight may be difficult to achieve because so 
many different committees claim jurisdiction over DHS. It is times 
like this that highlight the fact that despite promises to fulfill all 
the remaining 9/11 commission’s recommendations, the Congress 
still has not consolidated oversight of DHS, and, unfortunately, it 
now has oversight by 86 committees and subcommittees. 

I understand that the administration doesn’t believe that further 
authorities are necessary for this initiative, but this area poten- 
tially could be added to our annual DHS authorization bill, which 
I urge the Chairman and this committee to take up prior to con- 
gressional action on DHS’ appropriations bill later this spring. I 
raised this issue during our full committee this past Tuesday and 
was pleased to hear an optimistic response from Chairwoman 
Sanchez. 

We on the Republican side look forward to working with our ma- 
jority counterparts and colleagues on another bipartisan DHS au- 
thorization bill. 

I yield back. 

Chairman Thompson. Thank you very much. 

Other Members of the committee are reminded that under committee
rules opening statements may be submitted for the record. 

[The statement of Hon. Langevin follows:] 





Prepared Statement of Hon. James R. Langevin 
February 28, 2008 
THE CYBER INITIATIVE

For years, Federal networks have been under attack. I believe that the infiltration 
and exploitation of these networks is one of the most critical issues confronting our 
Nation. The acquisition of our Government’s information by outsiders undermines 
our strength as a Nation. If sensitive information is stolen and absorbed by our ad- 
versaries, we are strategically harmed. 

Last year, as Chairman of the Subcommittee on Emerging Threats, Cybersecurity, 
Science and Technology, I held a series of hearings on the cyber threats to our Fed- 
eral networks and critical infrastructure. It is clear that our failure to secure Gov- 
ernment networks has more to do with mismanagement, and less to do with inad- 
equate technology. This administration simply has not made cybersecurity a pri- 
ority. They have not comprehensively identified or mitigated vulnerabilities on our 
networks; they have not held anybody accountable for breaches; and they have not 
invested adequate resources to solve the problems. Unfortunately, we are paying the 
price today. 

I remain deeply concerned about the growing threat to our national critical infra- 
structure. The effective functioning of many infrastructures is highly dependent on 
control systems, which are computer-based systems used to monitor and control sen- 
sitive processes and physical functions. Cyber attacks against these pieces of infra- 
structure have the potential to cause serious — if not catastrophic — damage to the 
economy and our way of life. The administration’s Cyber Initiative does not ade- 
quately prioritize this issue. 

With the right vision and leadership, we can improve security on our Federal net- 
works and critical infrastructure. There are some promising elements of the Cyber 
Initiative, but there are also some gaping holes. I assure the American people that 
we will continue to perform robust oversight on this issue. 

RECAP OF THE SUBCOMMITTEE’S PREVIOUS HEARINGS 

Last year, as Chairman of the subcommittee on Emerging Threats, Cybersecurity, 
Science and Technology, I held a series of hearings on the cyber threats to our Fed- 
eral networks and critical infrastructure. We began in April 2007, with a hearing 
on cyber attacks against the Departments of State and Commerce. At that time, it 
was clear to me that the Federal Government did not understand the severity of 
the threat. Officials did not know the scope or topology of networks; who infiltrated 
our networks in the past; who was inside of our networks at the present; and how 
much information had been stolen. At that hearing, I promised to begin an inves- 
tigation to assess the cybersecurity posture at the Department of Homeland Secu- 
rity. Chairman Thompson and I began requesting documents from the Department’s 
Chief Information Officer the following week. 

Our second hearing in April focused on the need to reduce critical infrastructure 
vulnerabilities through investment in research and development. In the last 7 years, 
more than 20 reports from such entities as the INFOSEC Research Council, the Na- 
tional Science Foundation, the National Institute of Justice, the National Security 
Telecommunications Advisory Committee, the National Research Council and the 
President’s Commission on Critical Infrastructure Protection have all urged the 
Government to do more to drive, discover and deliver new solutions to address cyber 
vulnerabilities. Yet the administration routinely proposed reductions or flat funding 
for research and development efforts at the Department of Homeland Security. Our 
witnesses described the necessity to dramatically reduce the vulnerability of the na- 
tional information infrastructure to attack, and make major, strategic investments 
that can significantly reduce infrastructure vulnerabilities over a 5- to 10-year pe- 
riod. 

During a June 2007 subcommittee hearing, we discussed the preliminary results 
of our investigation into the security of the Department’s networks. Due to poor se- 
curity practices on its networks, the Department of Homeland Security suffered nu- 
merous significant security incidents. Routine security reviews — like rogue tunnel 
audits, ingress/egress filtering, widespread internal and external penetration tests, 
and contractor audits — were not performed. Multi-factor authentication was not 
fully implemented. And in spite of nearly 900 cybersecurity incidents between fiscal
year 2005 and fiscal year 2006, the Department continued to under-invest in IT se- 
curity. 

The testimony of the Department’s Chief Information Officer, Scott Charbo, was 
disturbing to the committee. Although the Chief Information Officer is ultimately
responsible for the security of the Department’s numerous information networks,
Mr. Charbo seemed unaware and unconcerned about any serious malicious activity 
on the networks he was charged with securing. For example, when asked if he or 
his security team had requested or received intelligence briefings about Chinese 
hackers penetrating Federal networks, or if Department computers ever exfiltrated 
information to Chinese servers, Mr. Charbo responded “you don’t know what you 
don’t know.” This answer was typical of the laissez-faire attitude that he exhibited 
throughout the investigation, and suggested that neither he nor the rest of the De- 
partment was taking the issue of cybersecurity seriously. Chairman Thompson and 
I sought additional information to determine whether these incidents could be tied 
to the same attacks that occurred on the networks at State and Commerce. 

In September 2007, Chairman Thompson and I concluded that the Department 
was itself a victim not only of cyber attacks initiated by foreign entities, but of in- 
competent and possibly illegal activity by the contractor charged with maintaining 
security on its networks. The Department’s intrusion detection systems — designed 
to monitor networks and issue alerts when outsiders attempted to gain access — were 
not properly installed and monitored. This resulted in dozens of computers becoming 
compromised by hackers, who sent an unknown quantity of information to a Chi- 
nese-language Web site. We asked the Department’s Inspector General to begin an 
inquiry into these matters and refer the case for criminal investigation. 

In October 2007, my subcommittee again revisited the issue of cybersecurity and 
critical infrastructure, specifically with regard to the electric grid. The effective 
functioning of the bulk power system is highly dependent on control systems, which 
are computer-based systems used to monitor and control sensitive processes and 
physical functions. Once largely proprietary, closed-systems, control systems are be- 
coming increasingly connected to open networks, such as corporate intranets and 
the Internet. As such, the cyber risk to these systems is increasing. Intentional and 
unintentional control system failures on the bulk power system can have a signifi- 
cant and potentially devastating impact on the economy, public health, and national 
security of the United States. 

The subcommittee learned about an experimental cyber attack led by DHS re- 
searchers at Idaho National Laboratory. This experiment — code-named Aurora — 
could inflict significant damage upon the electric sector, and several Members joined 
me in calling upon the Federal Electric Regulatory Commission (FERC) to inves- 
tigate whether the owners and operators were implementing mitigations to prevent 
this attack from occurring. In light of these issues, I joined Chairman Thompson, 
Chairwoman Jackson Lee, and Ranking Member McCaul in submitting comments 
to the FERC rulemaking, arguing that their proposed standards do not sufficiently 
ensure the production or delivery of power in the event of intentional or uninten- 
tional cyber incidents involving critical infrastructures. We suggested adopting 
standards for control systems proposed by the National Institute of Science and 
Technology. 

Our final hearing focused on the implementation of the cyber aspects of the Sector 
Specific Plans. These 17 plans — one for each critical infrastructure sector in the 
United States — are supposed to describe how each sector will identify, prioritize, 
and protect their physical and cyber assets. However, an investigation performed for 
the committee by the GAO suggests that many of the 17 plans are incomplete when 
it comes to cybersecurity. The GAO analyzed the 17 plans under three categories: 
fully addressed, partially addressed, or not addressed, and found that none of the 
plans fully addressed all 30 cybersecurity criteria. Even more distressing was the 
absence of an implementation plan. Because Sector Specific Plans remain a vol- 
untary exercise for all sectors, the Federal Government is unable to assess the effec- 
tiveness of the private sector’s cybersecurity controls. 

Each of these hearings suggests that the Federal Government is vulnerable to a 
cyber attack against Federal networks or critical infrastructure. We must continue 
to identify vulnerabilities in our systems. We must continue to reduce those 
vulnerabilities. We must continue to engage the private sector. We must make 
cybersecurity a priority. 

Chairman Thompson. I now welcome our witnesses to this hear- 
ing. 

Our first witness, Karen Evans, is the administrator of the Office 
of Electronic Government and Information Technology at the Office 
of Management and Budget. In this role, she oversees implementa- 
tion of IT throughout the Federal Government, including advising 
the director on the performance of IT investments, overseeing the 
development of enterprise architecture within the agencies, directing
activities of the Chief Information Officer Council and overseeing
the usage of the e-government funds to support interagency
partnership and innovation.

Our second witness is Robert Jamison, the under secretary for 
the National Protection and Program Directorate at the Depart- 
ment of Homeland Security. He was confirmed in December 2007. 
Under Secretary Jamison leads the Department’s integrated effort 
to analyze, manage and reduce risk. Mr. Jamison oversees the De- 
partment’s efforts in the Cyber Initiative. 

He will be joined in questioning period by Deputy Under Sec- 
retary for National Protection and Programs Directorate Scott 
Charbo. Mr. Charbo was named to this position earlier this month 
after previously serving as the Department’s chief information offi- 
cer. 

Without objection, the witnesses’ full statements will be read into 
the record. I ask each witness to summarize their statements, be- 
ginning with Ms. Evans for 5 minutes. 

Ms. Evans. 

STATEMENT OF KAREN EVANS, ADMINISTRATOR, ELECTRONIC GOVERNMENT AND
INFORMATION TECHNOLOGY, OFFICE OF MANAGEMENT AND BUDGET

Ms. Evans. Good morning, Mr. Chairman and Members of the 
committee. Thank you for inviting me to discuss the administra- 
tion’s comprehensive National Cyber Security Initiative. Our work 
on the Cyber Initiative is focused on building upon our existing ef- 
fort to continue to close the gap in areas of continued weakness, 
implementing existing security policies and managing our risk as- 
sociated in particular with non-secure external connections, includ- 
ing internet points of presence. 

Please note, our work is happening concurrently on all of the pro- 
grams described in my written statement. 

Agencies connect to the internet to deliver timely information 
and services to the public, but each new connection multiplies 
threats and vulnerabilities. Agencies can consolidate or reduce un- 
necessary connections while still accomplishing program goals. 
OMB has set a target date of completion for the reduction and opti- 
mization of agencies’ external connections, including those to the 
internet, by June 2008. 

Agencies reduce the number of internet connections, as they also 
will be determining transitions and, if so, their transition strategy 
to the network’s contract managed by the General Services Admin- 
istration. This transition provides an opportunity for agencies to 
consolidate and optimize their external access points and to obtain 
secure telecommunications technologies and services. 

In connection with the network’s transition, Einstein will be de- 
ployed at the appropriate external connection. Currently, 14 de- 
partments and agencies have deployed Einstein. Einstein will be 
discussed more in depth by my colleague, Under Secretary 
Jamison, during his statement. 

Agencies are also taking advantage of products and services of- 
fered by the Information Systems Security Line of Business. This 
initiative, led by the Department of Homeland Security and OMB, 
was introduced in the spring of 2005 and identified common solutions
for four areas to be shared by the government: Security training;
Federal Information Security Management Act, FISMA, reporting;
situational awareness and incident response; and the selection,
evaluation and implementation of security solutions.

As of November 2007, 12 agencies had implemented security 
awareness training services provided by three approved shared 
service centers, and 13 agencies have begun using FISMA report- 
ing services provided by two approved shared service centers. As a 
result, agencies are beginning to reduce duplicative investment and 
common security tools, ensuring a baseline level of training and re- 
porting performance and are better able to refocus their efforts to 
other complex and critical security issues at their agency. 

With the understanding that vulnerabilities result from weak- 
nesses in technology, as well as improper implementation and over- 
sight of technological products, we have collaborated with the Na- 
tional Institute of Standards and Technology, NIST, the Depart- 
ment of Defense, the National Security Agency, and Microsoft to 
develop a set of information security controls to be implemented on 
all Federal desktops, which are running Microsoft Windows XP or 
Vista. 

This set of controls, known as the Federal Desktop Core Configu- 
ration, is currently being implemented across the Federal enter- 
prise. By implementing a common configuration, we are gaining 
better control of our Federal systems and are allowing for closer 
monitoring and correction of potential vulnerabilities, while lim- 
iting the download of internet applications to only authorized pro- 
fessionals. 

In addition to the desktop configuration, we are also working 
with the vendor community to make our application safer. As part 
of this program, NIST has developed testing tools for use by both 
the Federal agencies and the vendors. NIST awarded Security Con- 
tent Automation Protocol, or SCAP, validation to three products as 
of February 4, 2008. 

Three independent laboratories have been accredited by NIST 
National Voluntary Laboratory Accreditation Program for the 
SCAP product validation. 

To help agency procurement officers ensure that new acquisitions 
include the common security configurations, we have also provided 
agencies with recommended procurement language. The Federal 
Acquisition Council has approved the language and is completing 
the process of adding this language to the Federal acquisition regu- 
lations. 

While notable progress in resolving IT security weaknesses has 
been made, and I have included more examples in my written 
statements, problems remain in agencies’ implementation, and new 
threats and vulnerabilities continue to materialize. Work remains 
to continue to improve the security of information and systems sup- 
porting the Federal Government’s missions and manage the risk 
associated with these systems. 

To address these challenges, OMB looks forward to continuing to 
work with the agencies, GAO and Congress to promote the appro- 
priate risk-based and cost-effective IT security programs, policies 
and procedures. 

I will be happy to answer any questions at the appropriate time.
[The statement of Ms. Evans follows:] 

Prepared Statement of Karen Evans 
February 28, 2008 

Good morning, Mr. Chairman and Members of the committee. Thank you for in- 
viting me to discuss the administration’s Comprehensive National Cybersecurity Ini- 
tiative. My remarks today will focus on the progress we have made in improving 
the security of the Government’s information and information technology (IT) sys- 
tems as well as our strategy for managing the risk associated with our Government 
services in this ever-changing IT environment. In our increasingly interconnected 
and interdependent environment, security risks left unaddressed by one agency can 
exponentially compound security risks faced by all of us. These weaknesses prevent 
agencies from achieving program goals and erode the public’s trust in us. 

Information security and privacy are extremely important issues for the administration.
On March 1, 2008, the Office of Management and Budget (OMB) will provide
our fifth annual report to the Congress on implementation of the Federal Information
Security Management Act (FISMA). This report will go into detail on our
improvements and remaining weaknesses for both security and privacy.

OMB policies and subsequent National Institute of Standards and Technology 
(NIST) guidance focus on a risk-based, cost-effective approach and reflect the bal- 
ance between strong security and mission needs. Agencies are responsible for imple- 
menting the policies and guidance for their unique mission requirements within 
their capital planning and investment control processes. Agency officials who own 
and operate the agency business programs are ultimately responsible and account- 
able for ensuring security is integrated into those program operations. Our oversight 
is achieved in two primary ways — via the budget and capital planning process, and 
through independent program reviews. 

Our work on the cyber initiative is focused on closing gaps in areas of continued 
weakness — implementing existing security policy, and managing non-secure exter- 
nal connection, including Internet points of presence. Please note our work is hap- 
pening concurrently on all of the programs described. 

EFFECTIVELY IMPLEMENTING EXISTING SECURITY POLICIES 

Securing cyberspace is an ongoing process, so as new technologies appear and new 
vulnerabilities are identified, NIST provides guidance to Federal agencies on secur- 
ing networks, systems, and applications. Recommendations include user awareness 
briefings as well as training for technical staff on security standards, procedures, 
and sound security practices. As required by 44 U.S.C. § 3543, Federal agencies 
must adopt and comply with standards promulgated by NIST, and identify informa- 
tion security protections consistent with these standards. 

For example, agencies must complete certification and accreditation (C&A) — a 
fundamental security procedure required by law and policy. As of first quarter fiscal 
year 2008, 985 systems (9.5 percent of all systems) operate without a complete
C&A. Based on our annual reports to Congress, the percentage of systems C&A’d
rises each year; we need to be at 100%. When performed correctly, C&As identify the
risks when operating an information system, test controls necessary to mitigate
them, and provide program managers a level of assurance the systems supporting
their programs operate at an acceptable level of risk. 

In addition to following existing policy, agencies are continuing to take advantage 
of GSA’s SmartBUY program when acquiring security products and services. 
SmartBUY is a Federal Government procurement vehicle designed to promote effec- 
tive enterprise level software management. By leveraging the Government’s im- 
mense buying power, SmartBUY has saved taxpayers millions of dollars through 
Government-wide aggregate buying of Commercial Off the Shelf (COTS) software 
products. Agencies are utilizing new SmartBUY agreements to acquire quality secu- 
rity products at lower costs. 

In one recent example, GSA and DoD established a SmartBUY agreement for 
products certified through the NIST FIPS 140-2 Cryptomodule Validation Program. 
These certified products will be used to encrypt data at rest. This benefit is not con- 
fined solely to Federal agencies, since the Blanket Purchase Agreement (BPA) was 
written so that States and local governments can also take advantage of this oppor- 
tunity. 

In addition to the encryption BPA, GSA worked to complete two BPA’s for credit 
monitoring services deemed necessary by an agency in the event of a breach of
personally identifiable information (PII), as well as risk assessment services for when
a breach occurs. More information about the BPA related to credit monitoring services
can be found in our OMB Memorandum M-07-04, “Use of Commercial Credit
Monitoring Services Blanket Purchase Agreements (BPA),” at
http://www.whitehouse.gov/omb/memoranda/fy2007/m07-04.pdf. More information about
the BPA to assist agencies to assess risk associated with data loss can be found in
our OMB Memorandum M-08-10, “Use of Commercial Independent Risk Analysis
Services Blanket Purchase Agreements (BPA),” at
http://www.whitehouse.gov/omb/memoranda/fy2008/m08-10.pdf.

Currently, the Information System Security Line of Business (ISSLOB) is working 
across Federal agencies and with GSA to assess the feasibility of additional security 
related SmartBUY and BPA opportunities for situational awareness and discovery 
tool sets. 


MANAGING MULTIPLE NON-SECURE EXTERNAL CONNECTIONS 

Agencies connect to the Internet to deliver timely information and services to the 
public, but each new connection multiplies threats and vulnerabilities. Agencies can 
consolidate or reduce unnecessary connections while still accomplishing program 
goals. Per OMB guidance, agencies must reduce and/or consolidate their external 
connections including those to the internet by June 2008 with a target of no more 
than 50 access points in total for the civilian agencies. 

As agencies reduce the number of internet connections, they are also determining 
whether to transition, and if so, their transition strategy, to Networx. As you know, 
FTS2001/Crossover Bridge contracts, which provide services for telecommunications
and networking services, for current customers will expire in May and June 2010. 
The Networx program is the primary replacement vehicle for these expiring con- 
tracts. We believe that this transition will provide an opportunity for agencies to 
consolidate and optimize their external access points including internet connections 
and obtain secure telecommunications technologies and services. Networx Universal 
and Enterprise Service contracts were awarded in March and May 2007, respec- 
tively. 

OMB anticipates agencies choosing to use the Networx contract can leverage the 
transition process and service offerings to meet the goal of reducing the number of 
external connections including Internet points of presence. OMB has asked the Fed- 
eral Chief Information Officers (CIO) Council to prepare a cost-benefit analysis re- 
garding the use of the Networx contract. 

The Interagency Management Council’s Transition Working Group (TWG) has 
asked agencies seeking to qualify for transition cost reimbursement to complete Fair 
Opportunity decisions by September 2008. GSA recommends agencies target the 
completion of Fair Opportunity decisions by March 2008 to ensure sufficient time 
to complete transition of services prior to the expiration of FTS2001/Crossover 
Bridge contracts. 

Currently, one major agency has completed a Fair Opportunity Analysis and se- 
lected a service provider (Treasury). As of February 2008, GSA has received 21 
Statements of Work (SOWs), and anticipates at least 58 more SOWs from major 
agencies by September 2008. 

The TWG deadline for agencies to submit all transition orders is April 2010. GSA 
recommends agencies target the submission of all transition orders to the extent 
possible for January 2009 to allow sufficient time for service providers to complete 
the processing of all orders and establish service on the new contracts before the 
expiration of FTS2001/Crossover Bridge contracts. 

In concert with Networx transition, Einstein will be deployed at the appropriate 
external connections, including Internet points of presence; 14 departments and/or 
agencies have currently deployed Einstein. Einstein is an intrusion detection system 
managed by DHS to collect, analyze, and share aggregated network computer secu- 
rity information across the Federal Government. As a result of these deployments, 
agencies maintain an awareness of their network while DHS maintains awareness 
of Government-wide information security threats and vulnerabilities. With this in- 
formation, agencies will be able to quickly take corrective action and reduce their 
risk to a manageable level. 

Agencies are also taking advantage of products and services offered by the Infor- 
mation System Security Line of Business (ISSLOB). This initiative, led by DHS and 
OMB was introduced in the Spring of 2005. An inter-agency Task Force identified 
common solutions to be shared across Government. The Task Force identified com- 
mon solutions in four areas: security training; FISMA reporting; situational aware- 
ness/incident response; and selection, evaluation and implementation of security so- 
lutions. 
All agencies were asked to submit proposals to either become a Shared Service 
Center (SSC) for other agencies, or migrate to another agency from which they 
would acquire expert security awareness training services and FISMA reporting 
services. DHS helped coordinate the selection of SSCs, and agency implementation 
of these services. 

As of November 2007, 12 agencies had implemented security awareness training 
services provided by three approved SSC, and 13 agencies had begun using FISMA 
reporting services provided by two approved SSC. As a result, agencies are begin- 
ning to reduce duplicative investment in common security tools, ensuring a baseline 
level of training and reporting performance, and are able to refocus their efforts to 
other complex and critical security issues at their agency. OMB expects agencies 
will fully report the number of employees trained via the ISSLOB in their fiscal 
year 2008 annual FISMA report. 

Finally, vulnerabilities result from weaknesses in technology as well as improper 
implementation and oversight of technological products. Over the past year, in col- 
laboration with NIST, the Department of Defense, the National Security Agency, 
and Microsoft, we have developed a set of information security controls to be imple- 
mented on all Federal desktops which are running Microsoft Windows XP or VISTA. 
This set of controls, known as the Federal Desktop Core Configuration (FDCC) is 
currently being implemented across the Federal enterprise. By implementing a com- 
mon configuration, we are gaining better control of our Federal systems, and allow- 
ing for closer monitoring and correction of potential vulnerabilities. Security configu- 
rations provide a baseline level of security, reduce risk from security threats and 
vulnerabilities, and save time and resources. In particular, security configurations 
help protect connections to the Internet and limit the download of Internet applica- 
tions to only authorized professionals. 

In addition to the desktop configuration, we are also working with the vendor 
community to make their applications safer. As part of this program, NIST has de- 
veloped testing tools for use by both Federal agencies and vendors. NIST awarded 
Security Content Automation Protocol (SCAP) Validation to three products as of 
February 4, 2008. These products and their associated validation information can 
be found at http://nvd.nist.gov/scapproducts.cfm. Three independent laboratories 
have been accredited by the NIST National Voluntary Laboratory Accreditation Pro- 
gram (NVLAP) for SCAP Product Validation testing. The list of accredited labs is 
available at the same URL. We are very optimistic this program will greatly en- 
hance the security of our Federal desktops, and, of our Federal enterprise as a 
whole. To help agency procurement officers ensure that new acquisitions include 
common security configurations, we have provided agencies with recommended
procurement language. This language can be found in our Memorandum M-07-18,
“Ensuring New Acquisitions Include Common Security Configurations,” at
http://www.whitehouse.gov/omb/memoranda/fy2007/m07-18.pdf. Currently, the Federal 
Acquisition Council is in the process of adding similar language to the Federal Ac- 
quisition Regulation. 

These initiatives described in my testimony today in combination with other ad- 
ministration initiatives (including: IPv6, HSPD-12, minimum communications capa- 
bilities for continuity of Government and continuity of operation plans, and IT Infra- 
structure Line of Business) address our potential security gaps, help agencies opti- 
mize their information infrastructure, and facilitate appropriate network consolida- 
tion and configuration. In turn, agencies will be able to better manage their infor- 
mation infrastructure, allowing them to reduce risks to an acceptable level. 

In closing, OMB is committed to a Federal Government with resilient information 
systems. The dangers posed by the internet must not be allowed to significantly af- 
fect agency business processes or disrupt services to the citizen. I would like to ac- 
knowledge the significant work of agencies and IGs in conducting the annual re- 
views and evaluations. This effort gives OMB and the Congress much greater visi- 
bility into agency security status and progress. 

While notable progress in resolving IT security weaknesses has been made, prob- 
lems remain in agency implementation and new threats and vulnerabilities continue 
to materialize. Work remains to continue to improve the security of the information 
and systems supporting the Federal Government’s missions and manage the risk as- 
sociated with these systems. To address these challenges, OMB will continue to 
work with agencies, GAO, and Congress to promote appropriate risk-based and cost- 
effective IT security programs, policies, and procedures to adequately secure our op- 
erations and assets. 

Chairman Thompson. Thank you very much. 

The Chair now recognizes Mr. Jamison for 5 minutes. 
STATEMENT OF ROBERT D. JAMISON, UNDER SECRETARY, NATIONAL 
PROTECTION AND PROGRAMS DIRECTORATE, DEPARTMENT OF HOMELAND 
SECURITY, ACCOMPANIED BY SCOTT CHARBO, DEPUTY UNDER SECRETARY, 
NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, DEPARTMENT 
OF HOMELAND SECURITY 

Mr. Jamison. Thank you, Mr. Chairman. 

Chairman Thompson, Congressman McCaul and Members of the 
committee, I appreciate the opportunity to update you on the De- 
partment of Homeland Security’s efforts to improve America’s 
cybersecurity posture. 

I also appreciate the committee’s interest in the Cyber Initiative. 
The Department and our interagency partners are committed to an 
ongoing engagement with Congress in an appropriate setting on 
the classified aspects of our activities. 

In my role as under secretary for the National Protection and 
Programs Directorate, one of my most important programmatic ac- 
tivities has been cybersecurity, and I have served as the lead DHS 
official for the Cyber Initiative since last summer. 

I am pleased this morning to be joined on this panel by my es- 
teemed colleagues from OMB, Karen Evans, and the former DHS 
chief information officer and just recently appointed deputy under 
secretary, Scott Charbo. 

Secretary Chertoff identified cybersecurity as one of the Depart- 
ment’s top priorities for 2008, and the President’s 2008 and 2009 
budgets reflect this priority. We are aware of, and have defended 
against, malicious cyber activity directed at the U.S. Government. 
We take these threats seriously and remain really concerned that 
this activity is growing more sophisticated, more targeted and more 
prevalent. 

The nature of the threat is diverse, ranging from unsophisticated 
hackers to very technically competent adversaries using state-of- 
the-art intrusion techniques. Many of these malicious attacks are 
designed to steal information and disrupt, deny access to, degrade 
or destroy critical Federal information systems. 

Over the past 4 months, the Department has provided this com- 
mittee with several classified briefings on a number of different 
cyber-related topics, including threats. The Department and our 
interagency partners remain committed to an ongoing dialog with 
Congress in an appropriate setting on these classified topics. 

DHS has the lead responsibility for assuring the security resil- 
iency and reliability of the Nation’s information technology and 
communications infrastructure. Since 2003, the Department has 
been investing in the development of a nimble, effective cyber 
emergency response capability and a culture of preparedness. 
These activities have positioned DHS to play a key role in this im- 
portant initiative we will discuss today. 

We have established the National Cyber Security Division to 
focus on securing cyberspace. In NCSD, we have built a 24x7 
watch, warning and response operation centers to defend against 
and respond to cyber attack, the US-CERT. US-CERT has devel- 
oped and deployed an Einstein program, which provides Govern- 
ment officials with situational awareness about malicious activity 
across the Federal civilian network so we can protect against and 
respond to cyber threats more effectively. 

Under the National Infrastructure Protection Plan framework, 
we have also worked closely with our private sector partners to de- 
velop 17 sector-specific plans, which all include a cybersecurity 
component. 

We are here today because we must do more. The Federal Gov- 
ernment has a vast information interstate system with thousands 
of points of access. At last count, the Federal network had at least 
4,000 access points. Defending the Federal system in its current 
configuration is a significant challenge. Implementing effective de- 
fensive strategies requires a manageable number of access points. 
Therefore, we are working with OMB to reduce the number of ac- 
cess points. 

As we reduce the number of access points, we plan to employ an 
enhanced intrusion detection capability, enhanced Einstein. While 
valuable, currently our Einstein capability is limited. We do not 
have comprehensive coverage, and it is a delayed flow analysis tool. 
We need to enhance the capability through comprehensive coverage 
across our Federal system external access points and upgrade Ein- 
stein to detect malicious activity in real time. 

Our goal is a comprehensive, consistent intrusion detection capa- 
bility that is informed by our full understanding of the threat. 

Mr. Chairman, the threat is real. To defend our networks, a com- 
prehensive situational awareness capability must augment the 
foundation already in place at the Department. We will achieve 
this improved situational awareness by consolidating our Federal 
connections, enhancing our intrusion detection capabilities, improv- 
ing our threat assessment and information-sharing capabilities and 
building a stronger watch and warning system. 

These changes, coupled with an investment in our people, proc- 
esses and systems, will enable the Federal Government to apply 
the full capabilities to the defense of our networks. 

Thank you for the opportunity to update you today on DHS’ ef- 
forts to improve America’s cybersecurity posture, and I welcome the 
questions. 

Thank you. 

[The statement of Mr. Jamison follows:] 

Prepared Statement of Robert D. Jamison 
February 28, 2008 

INTRODUCTION 

Chairman Thompson, Congressman King, and Members of the committee, I ap- 
preciate the opportunity to speak about the Department of Homeland Security’s on- 
going efforts to improve cybersecurity. I also appreciate the committee’s continued 
interest in the Department’s cybersecurity activities and in particular the Department’s 
role in the Comprehensive National Cybersecurity Initiative. As we have done 
since last year, the Department and our interagency partners will continue to en- 
gage with the committee and Congress in an appropriate setting on the classified 
portions of our activities. 

As our economy, critical infrastructure, and national security become more reliant 
on technology, it is essential that we take proactive measures to enhance the secu- 
rity and resiliency of the information technology (IT) systems and networks on 
which we rely. We face increasing global threats to our cyber infrastructure, and 
the exploitation of vulnerabilities is facilitated by the widespread availability of 
tools, techniques, and information. The Department has made progress in enhancing 
the cybersecurity of the Nation; however, we recognize the need to take deliberate 
action to reinforce and build on those efforts as the threat grows. To underscore the 
Department’s efforts in this area, Secretary Chertoff has identified cybersecurity as 
one of the top priorities for the Department for 2008. The enacted fiscal year 2008 
and the President’s proposed fiscal year 2009 budget reflect the necessary invest- 
ment for this priority. 

The Department has outlined four areas of focus within cybersecurity to guide our 
efforts over the coming year. First, we are enhancing Federal cyber situational 
awareness, intrusion detection, information sharing, and response capabilities. Sec- 
ond, we are expanding the Department’s cadre of cybersecurity personnel, its capa- 
bilities, and its services to our public and private sector partners. Third, we are 
strengthening our efforts to integrate cybersecurity into Federal, State, private sec- 
tor, and international preparedness, response, and resilience efforts. Finally, we are 
developing and promoting the adoption of proven cybersecurity practices with Gov- 
ernment, private sector, the general public, and the international community. 

Today, I will provide an overview of the Department’s efforts to improve 
cybersecurity across Federal departments and agencies and will focus on our first 
priority. Specifically, I will address two programs focused on cyber risk reduction 
across the Federal enterprise: the Trusted Internet Connections initiative (TIC) and 
the EINSTEIN program. 

CYBERSECURITY: A DEPARTMENTAL PRIORITY 

As Under Secretary for the National Protection and Programs Directorate 
(NPPD), I oversee the Directorate’s efforts to advance the Department’s mission of 
risk reduction, which encompasses identifying threats, determining vulnerabilities, 
and targeting resources where risk is greatest, including to our critical information 
systems. A key area within this mission includes the Office of Cybersecurity and 
Communications’ (CS&C) efforts to improve cybersecurity by reducing risk to the 
Nation’s cyber infrastructure and maintaining the resilience of our communications 
systems. The 2007 National Strategy for Homeland Security articulated the importance 
of this mission by recognizing that many of our essential and emergency services, 
including our critical infrastructure, “rely on the uninterrupted use of the 
Internet and the communications systems, data, monitoring, and control systems 
that comprise our cyber infrastructure. A cyber attack could be debilitating to our 
highly interdependent [Critical Infrastructure and Key Resources] and ultimately to 
our economy and national security.” 

Global threats to our cyber infrastructure and to the services, systems, and assets 
that depend on them continue to increase. The nature of the threat is large and di- 
verse and ranges from unsophisticated hackers to very sophisticated adversaries. 
We are seeing more state-of-the-art intrusion techniques designed to disrupt, deny 
access to, degrade, or destroy critical information systems and steal our intellectual 
capital and proprietary information. 

The Department is positioned to address these threats through our watch, warn- 
ing, and response capabilities; our information sharing and coordination efforts with 
the public and private sectors; and our programs and initiatives through the Na- 
tional Cyber Security Division (NCSD) and United States Computer Emergency 
Readiness Team (US-CERT). These programs and initiatives are designed to carry 
out our mission of preparing for and responding to incidents that could degrade or 
overwhelm the operation of our Federal IT and communications infrastructure. 

SECURING FEDERAL DEPARTMENTS AND AGENCIES 

Since its inception, the Department of Homeland Security has been working to 
strengthen Federal and critical infrastructure systems and enhance our cyber oper- 
ational response capabilities. The Department established a number of programs 
and initiatives to coordinate efforts with Federal departments and agencies to im- 
prove cybersecurity. These programs focus on enhancing situational awareness, in- 
creasing collaboration across Federal operational security teams, preventing cyber 
incidents, and providing inter-agency coordination during a cyber event. 

The Department conducts outreach to Federal departments and agencies to raise 
cybersecurity awareness with operational security teams and senior officials through 
channels such as the Government Forum of Incident Response and Security Teams 
(GFIRST). GFIRST is a community of more than 50 incident response teams from 
various Federal agencies working together to improve Federal Government security. 
The Department sponsors the annual GFIRST Conference, which fosters greater in- 
formation sharing among IT security professionals from various departments and 
agencies. The 2007 conference garnered unprecedented attendance, including more 
than 550 IT professionals, representing numerous Federal departments and agen- 
cies, including more than 100 attorneys from the Department of Justice. We expect 
similar success at the upcoming GFIRST Conference in June 2008. 

To enhance collaboration on control systems security across the Federal Govern- 
ment, NCSD established and facilitates the Federal Control Systems Security Work- 
ing Group, consisting of over 30 Government organizations. Since late 2006, this 
group has been developing a Federal Coordinating Strategy to Secure Control Sys- 
tems, which seeks to place related Federal control systems activities into a unified 
framework, assess opportunities for sharing and leveraging information and re- 
sources, and identify possible gaps in Federal efforts. In addition, NCSD is working 
with other Federal organizations, such as the Tennessee Valley Authority and the 
U.S. Army Corps of Engineers, to provide control systems specific tools in their 
areas of responsibility. 

NCSD co-chairs the National Cyber Response Coordination Group (NCRCG) with 
the Department of Justice (DOJ) and the Department of Defense (DoD) to coordi- 
nate response to a cyber incident across the Federal Government. The NCRCG 
serves as the principal interagency mechanism for providing subject matter exper- 
tise, recommendations, and strategic policy support to the Secretary of Homeland 
Security during and in anticipation of a cyber incident. The NCRCG comprises sen- 
ior representatives from Federal agencies that have roles and responsibilities re- 
lated to preventing, investigating, defending against, responding to, mitigating, and 
assisting in the recovery from cyber incidents. The senior-level membership of the 
NCRCG helps ensure that during a significant national incident, appropriate Fed- 
eral capabilities will be deployed in a coordinated and effective fashion. 

To ensure processes and procedures involved with response to cyber incidents are 
up-to-date and comprehensive, the Department sponsors exercises to allow partici- 
pants in the public and private sector to examine their cyber response capabilities. 
In February 2006, the Department held the first National Cyber Exercise — Cyber 
Storm — to examine various aspects of our operational mission, including collaboration 
with Federal departments and agencies. The Department and other participants 
continue to address lessons learned and after-action items from the exercise. 
Progress made to improve response processes and procedures will be measured in 
Cyber Storm II, which is scheduled for March 2008. Cyber Storm II will simulate 
a coordinated, large-scale cyber attack on four of the Nation’s critical infrastructure 
sectors. The exercise will include participants from 18 Federal departments and 
agencies, 9 States, over 40 private sector companies, and 4 international partners. 
For the Federal Government, Cyber Storm II will exercise strategic incident response 
decisionmaking and interagency coordination in accordance with national-level poli- 
cies and procedures. The exercise will strengthen the ability of participating organi- 
zations to prepare for, protect against, and respond to the effects of cyber attacks. 

US-CERT is the Department’s watch and warning mechanism for the Federal 
Government’s internet infrastructure. It provides around-the-clock monitoring of 
Federal network infrastructure and coordinates the dissemination of information to 
key constituencies including all levels of Government and industry. In addition, US- 
CERT serves as the main component for helping Government, industry, and the 
public work together to respond to cyber threats and vulnerabilities. A main area 
of focus for US-CERT is our work with Federal departments and agencies. US- 
CERT provides Government partners with actionable information needed to protect 
information systems and infrastructures. In addition, US-CERT leverages its tech- 
nical expertise to further efforts to secure Federal networks and systems through 
targeted programs, such as the Trusted Internet Connections (TIC) initiative and 
EINSTEIN. 

Trusted Internet Connections Initiative 

The Trusted Internet Connections (TIC) initiative is a multifaceted plan to im- 
prove the Federal Government’s security posture by significantly reducing the num- 
ber of Federal external connections. External connections include, but are not lim- 
ited to, any connection outside a department or agency, such as government-to-gov- 
ernment connections and Internet access points. Currently, there are several thou- 
sand Federal external connections. The existence of such a large number inhibits 
the Federal Government’s ability to implement standardized security measures ef- 
fectively. The TIC initiative aims to reduce and consolidate the number of external 
connections to create a more clearly defined “cyber border.” Fewer external connec- 
tions will enable more efficient management and implementation of security meas- 
ures and reduce avenues for malicious attacks. Once fully implemented, the TIC ini- 
tiative will facilitate security standardization for access points across the Federal 
Government. 

The Office of Management and Budget (OMB) maintains oversight of the TIC initiative, 
and implementation relies on the technical expertise of US-CERT, all participating 
Federal departments and agencies, and the Information Systems Security 
Line of Business (ISS LOB). The ISS LOB is part of the President’s Management 
Agenda to expand Electronic Government. The goal of the ISS LOB is to address 
those areas of information security which are common to all agencies and are not 
specific to the mission of any individual agency, ultimately resulting in improved 
information systems security. OMB has selected DHS as the managing agency for 
the ISS LOB, and DHS, through the NCSD, is leveraging its role in the ISS LOB 
to enhance the TIC initiative. 

OMB announced [1] the TIC initiative to the heads of Federal Government departments 
and agencies in November 2007, subsequently outlining the specific steps departments 
and agencies should take as part of the initiative, including compiling a 
comprehensive inventory of each department and agencies’ existing network infra- 
structure. Each department and agency is required to develop a Plan of Actions and 
Milestones (POA&M) to reduce and consolidate the number of external connections 
with a target completion date of June 2008. NCSD is in the process of reviewing 
initial POA&M submitted to NCSD, via the ISS LOB, for review to ensure complete- 
ness and alignment with the goals and objectives of the TIC initiative. In addition, 
US-CERT and the ISS LOB created an interagency technical working group to establish, 
for OMB’s approval, a list of requirements and standards for the implementation 
of each TIC. Once approved, these requirements will be passed to the departments 
and agencies for implementation. 

The reduction of external connections will have a number of benefits for the Fed- 
eral Government, particularly when coupled with other security measures. First, 
fewer external connections will provide the ability to establish a central oversight 
and compliance function. This central function will benefit Federal systems by facili- 
tating the implementation of standardized information security policies. In addition, 
the TIC will enable the implementation of 24-hour watch and warning capabilities 
across the Federal Government and enable faster and more effective response to 
cyber incidents. The TIC will also enable the rollout of an intrusion detection system 
across Federal networks to provide better situational awareness, earlier identifica- 
tion of malicious activity, and overall, a more comprehensive network defense. 

The EINSTEIN Program 

The EINSTEIN program is another critical element of our efforts to increase 
cybersecurity across Federal departments and agencies. EINSTEIN is a collabo- 
rative information-sharing program that was developed in response to increasingly 
common network attacks on and disruptions to Federal systems. The program was 
initially established to help departments and agencies more effectively protect their 
systems and networks and to generate and report necessary IT-related information 
to US-CERT. EINSTEIN enhances situational awareness of the Federal Govern- 
ment’s portion of cyberspace, allowing US-CERT and cybersecurity personnel to 
identify anomalies and respond to potential problems quickly. EINSTEIN is pres- 
ently deployed at 15 Federal agencies, including the Department of Homeland Secu- 
rity, and US-CERT is in the process of deploying EINSTEIN across all Federal de- 
partments and agencies. With the TIC initiative providing a reduced number of ex- 
ternal connections, EINSTEIN will be able to more effectively monitor activity 
across Federal Government networks. 

The EINSTEIN program supplements departments’ and agencies’ intrusion detec- 
tion systems by monitoring their networks from outside their firewalls, 24 hours a 
day, 7 days a week. EINSTEIN utilizes an automated process for rapidly collecting, 
correlating, analyzing, and sharing government computer security information with 
US-CERT and department and agency system administrators. EINSTEIN utilizes 
a specific tool set to analyze network flow, which is comprised of a brief summary 
of a network connection, including source, destination, time, bytes, and packets 
transferred. 

US-CERT deploys EINSTEIN to Federal departments and agencies, along with 
all necessary hardware, software, support services, and staff training. Once imple- 
mented within a Federal department or agency, EINSTEIN identifies and estab- 
lishes a baseline for normal network operational activity. From this baseline, secu- 
rity personnel are able to identify unusual network traffic patterns and trends, such 
as configuration problems, unauthorized network traffic, network backdoors, routing 
anomalies, and unusual network scanning activities. With this information, security 
personnel can quickly identify, prevent, and respond to potential problems. 

EINSTEIN analyzes the information collected and posts it to a secure internet 
portal, which only approved personnel can access. System administrators from 
participating departments and agencies review their data and determine if any 
mitigation activities are necessary, often in collaboration with US-CERT. Simultaneously, 
US-CERT personnel analyze the data from participating department and agency 
networks to determine if any recurring patterns and trends exist, potentially 
indicating the presence of malicious cyber activity targeting the Government as a whole. 
If US-CERT finds such patterns of unusual activity across multiple agencies, 
US-CERT notifies appropriate stakeholders and coordinates mitigation and response 
actions as necessary. 

[1] The TIC was announced in OMB Memorandum 08-05. 

EINSTEIN already has proven successful in enhancing security within the Fed- 
eral Government. For example, through the Department of Transportation’s (DOT’s) 
participation in the EINSTEIN program, we were able to quickly detect malicious 
activity and prevent it from infecting other government computers. In this case, a 
computer worm had infected an unsecured government computer in a U.S. Govern- 
ment agency. When the worm, in its attempts to increase its network of infected 
computers, tried to attack DOT’s network, EINSTEIN detected the unusual traffic. 
After further investigation, US-CERT discovered the worm and worked with the af- 
fected departments and agencies to prevent its spread. 

EINSTEIN reduces the time it takes to gather and share critical data on com- 
puter security risks from an average of 4 to 5 days to an average of 4 to 5 hours. 
Quick notification results in the Federal Government being able to respond to inci- 
dents and mitigate potential problems more efficiently and effectively. Government- 
wide deployment of EINSTEIN will further enhance the ability of US-CERT to gain 
a more comprehensive view of Federal systems, increasing US-CERT’s analytic ca- 
pabilities and augmenting the extent and quality of US-CERT’s information sharing 
activities. Together with the TIC, broad deployment of EINSTEIN will increase our 
ability to address potential threats in an expedited and efficient manner. 

CONCLUSION 

Securing the Nation’s IT systems and networks in an environment of increasing 
global threats by agile and sophisticated adversaries is a difficult challenge that requires 
a coordinated and focused effort. Secretary Chertoff’s prioritization of 
cybersecurity for the year ahead underscores the importance of this challenge. Ac- 
cordingly, the Department is working with its Federal partners to develop and im- 
plement a holistic strategy for securing our Federal networks and systems. 

We have established a strong foundation of programs and activities to address the 
dynamic threat, and we continue to expand and improve upon those programs 
through new and enhanced efforts. The TIC’s reduction of Internet access points and 
EINSTEIN’s situational awareness capabilities are examples of initiatives designed 
to prevent the disruption of Federal critical infrastructure from unauthorized users 
that penetrate Federal systems and steal or compromise vital or sensitive informa- 
tion. 

Government-wide deployment of TIC and EINSTEIN enables strategic, cross- 
agency assessments of irregular or abnormal Internet activity that could indicate a 
vulnerability or problem in the system. These programs enhance Federal Govern- 
ment cybersecurity by providing more robust security monitoring capabilities to fa- 
cilitate the identification and response to cyber threats and attacks. They contribute 
to the improvement of network security, increasing the resilience of critical elec- 
tronically delivered government services, and enhancing the survivability of the 
internet. 

The Federal Government is committed to increasing its capabilities to address 
cyber risks associated with our critical networks and systems. Every Federal depart- 
ment and agency plays a role in and adds to the protection of our Nation and its 
citizens from cyber threats. 

Thank you for your time today, and I am happy to answer any questions from 
the committee. 

Chairman Thompson. Thank you very much. 

I thank the witnesses for their testimony. 

I now remind each member that he or she will have 5 minutes 
to question the panel. 

I now recognize myself for the first set of questions. 

Mr. Charbo, we had a hearing in June of last year where Mr. 
Langevin chaired the subcommittee, and it was quite revealing 
that a number of attacks had occurred on our system, and perhaps 
we were not as notified, or you and your Department, of many of 
those attacks until a contractor informed you of that. The infamous, 
“You don’t know what you don’t know,” comment was in response. 

Now, to the extent possible, since that hearing, can you give this 
committee the follow-up as to what you have instituted in your pre- 
vious position and this present position to prevent such attacks? 

Mr. Charbo. Thank you, Mr. Chairman. 

At that hearing, we were asked about some of the security notifi- 
cations that we have had on our networks through our intrusion 
detection systems. In 2005, we looked at the current contract that 
we had on those local networks. We identified gaps, and we put 
dollars in place to fill a lot of those gaps, including putting contract 
support in place for that. We also identified a need to recompete 
that contract, which we have done. 

It is true that at the time of that hearing, I had not been read 
into any of the specific threat vectors that are in place and that we 
are now aware of. The first briefing that we did have was with 
OMB — that was to the general CIO Council, and since that, we 
have had follow-up briefings. This initiative has caused a number 
of briefings, and my staff and I have also gone out and pretty ag- 
gressively looked toward any sources we can to identify briefings 
that get beyond a sensitive but unclassified or even a secret level. 

At the time, we said, “We are only focused on the data. That is 
all we can look at in terms of data of intrusion sets, et cetera, to 
identify anything back to whether it is a nation state attack or 
what is the nature of the vulnerability.” We are still in that phase. 
There’s a handful of issues that we are continuing to look at. Those 
in a classified state. We take every security incident very seriously 
at the operation. 

At the Department of Homeland Security, we have instituted 
several issues since I have started at that Department. The one we 
have spoken about many times is OneNet. We have said very publicly, 
“That is the most important IT project that we can put in 
place at the Department.” That is a consolidation of a wide area 
of points of access. It mirrors very closely to what the TIC effort 
is about. 

We want to put state-of-the-art intrusion detection at those ac- 
cess points that includes Einstein and other services. We have put 
that in place. We have put a security operations center in place 
that is 24x7. 

We are beginning to peer to those from our different components 
at the Department. We have raised the classifications of the CIOs, 
of our security, administrators, of our network administrators, of 
our deputy CIOs so that no longer are they just getting an unclas- 
sified brief. Quite honestly, what you get in that state is just a 
piece of information that is very difficult to interpret back to any 
attribution at all or to identify what the gaps are. 

What makes it even more difficult at the Department of Home- 
land Security is we are an immigration agency, which we have cli- 
ents from outside of this country who are trying to receive informa- 
tion on our public points of access, as well as law enforcement 
points, as well as border and port agencies. So we have done a 
number of things before the hearing, since the hearing in order to 
shore up our security operations at the Department, including 
doing a number of recompetitions and rebuilds of certain applications, 
moving it to our points of access, which were part of the 
OneNet project. 

Chairman Thompson. Thank you. We will come back to some 
other questions. 

I yield to the Ranking Member for questions. 

Mr. McCaul. Thank you, Mr. Chairman. 

I just want to follow up on the Chairman’s line of questioning, 
because at the last hearing, when you testified, it did raise some 
serious concerns. You are the chief information officer for the De- 
partment of Homeland Security. There is a major threat of intru- 
sion into our Federal networks, and yet you are not read into, as 
you said, read into the threat factors at the time. I understand you 
didn’t know what you didn’t know, but who was responsible for en- 
suring that you had that information, that didn’t get you that infor- 
mation that you should have had? 

We talk a lot after 9/11 about silos and not connecting the dots, 
not sharing information, and yet we have what I consider to be a 
major breach at the Federal level of not sharing information that 
should have been shared with you. I mean, you are the CIO of 
Homeland Security, and you didn’t have this threat factor informa- 
tion. 

Can you tell me what happened? Then I think you explained 
what you have done to correct that; that is the good news. You had 
a clearance, I assume, at the time. But you said you have upgraded 
now all the CIOs, they have the clearance to share that informa- 
tion. 

What happened back then? 

Mr. Charbo. It is difficult to tell what happened, sir. The brief- 
ings that we get are on a compartmentalized basis. They are tear 
lines between information moving down from classifications level. 
Most of the information that we got prior was at an unclassified 
level. At that point, it is very difficult to interpret that. 

If I can bring this back to the hearing point, in terms of the en- 
terprise network, I think this is an issue that is going to have to 
be addressed across a lot of the components — raising classification 
levels, moving information onto secure networks and not trying to 
do this on our unclassed networks — and that is going to be a train- 
ing, a clearance issue, a network issue. We have addressed that. 

Once we do have the information at Homeland, I think we have 
moved very aggressively in terms of raising the visibility with our 
key points. We have taken that to mean our CIOs within the De- 
partment, our security officers within the Department, our network 
administrators. We can bring together in classified settings, action 
those and then task those on in an unclassified point of presence. 

All I can say is, prior to that there were gaps in that. 

Mr. McCaul. You suffered from that gap, obviously, and I think 
as we move forward with this initiative and as Congress provides 
its oversight in how best to implement this initiative, that has got 
to be one of the key factors to make sure the CIOs for each of the 
major Federal agencies involved with this initiative are certainly 
read into the classification level to share that kind of threat infor- 
mation. I mean, we have gotten the reports that the Federal Gov- 
ernment has had massive intrusions into its Federal networks, and 
it seems to me the CIOs of these agencies should be aware of that 
fact to better protect itself. 

I know this is part of the initiative, but I would encourage you 
to make this a priority in this initiative, and we will be looking at 
that issue. 

Mr. Jamison, did you have a comment? 

Mr. Jamison. Yes, sir. Congressman, you are exactly on point: 
This is one of the fundamental challenges that we are facing, and 
a lot of the threat information was extremely classified. What we 
are talking about trying to do is get comprehensive situational 
awareness. 

So as we improve our Einstein deployment, improve intrusion de- 
tection, we are also coordinating with our intelligence components 
and all of the Federal Government agencies that have threat infor- 
mation so we can get more real-time information to the CIOs and 
to the network operation centers and security operation centers so 
that they can take defensive action. That is the top priority. 

Mr. McCaul. My second question is, under this initiative — I am 
a believer in clear lines of authority. When you have these mergers 
and partnerships and sharing agreements and what not, you need 
to know who is in charge and who is in charge of the budget. 

Under this initiative, can you tell me — maybe Mr. Jamison — who 
is in charge here? 

Mr. Jamison. Sure. First, let me caveat this statement by, I 
would be happy to give you a detailed briefing on the full budget, 
including the classified parts in a closed session. 

For what we are talking about today, for the TIC consolidation, 
we share the lead with OMB on helping them consolidate internet 
access points, but we have the lead to deploy the intrusion detec- 
tion, to own, operate and manage the intrusion detection and come 
up with that comprehensive situational awareness picture. 

There are many more parts to this initiative that I can’t discuss 
openly in this forum and would be happy to give you a classified 
briefing on that. 

Mr. McCaul. I understand that. I think at one of the hearings 
that the Chairman of the subcommittee, Langevin, and I had, we 
had testimony that the DHS was not really coordinating, certainly 
as well as we would hope, with the Department of Defense, and I 
know that may be getting into a classified area. I hope that is an 
area that will be focused on as well. They certainly have great ex- 
pertise in this area that I think the DHS could be of great value 
to you in terms of the coordination. So I certainly hope that takes 
place. 

Then, last, we heard about the declassified operation, Aurora, 
where the Idaho National Labs found a vulnerability where a 
power grid could be shut down, exploited, with the click of a mouse. 
That causes, obviously, shockwaves, I think, through not only in 
the Federal Government but also the administration and the Con- 
gress, in terms of the vulnerability. 

That is great work, though, in terms of detecting that vulner- 
ability and fixing it. 

Can I hear from you maybe some of the lessons learned from this 
project and what you are doing to protect the United States? 

Mr. Jamison. Sure. I think it was a success story. I think, as always, 
when you look back there is always room for improvement. 
But what happened with the Aurora vulnerability is research that 
was funded by the Department of Homeland Security through our 
lab networks identified the vulnerability. Once we identified the 
vulnerability, we worked through the national security infrastruc- 
ture protection process and our interagency partners to validate 
that there was a vulnerability and actually develop mitigation 
plans. 

We developed those mitigation plans and tested those mitigation 
plans and actually came up with a dissemination plan within that 
NIPP framework, leveraging both our interagency partners and the 
Federal Government and our private sector partners and drove 
those implementation plans. 

We continue to monitor the implementation plans. We are 
pleased with the results. What we must continue to do is make 
sure that we are able to validate that those measures are still 
being taken in the field and we continue to pursue enhanced 
cybersecurity. 

But I do think it was a success story, especially given the fact 
of the sensitivity of the information and the challenges with trying 
to get implementation measures down the field while you don’t 
highlight a vulnerability, and I think the system worked. 

Mr. McCaul. I agree with that and look forward to hearing more 
about it. 

Thank you, Mr. Chairman. 

Chairman Thompson. Thank you very much. 

I now recognize the gentleman from Rhode Island and Chairman 
of the subcommittee for 5 minutes, Mr. Langevin. 

Mr. Langevin. Thank you, Mr. Chairman. I appreciate you yield- 
ing, and I appreciate the witnesses for their testimony. I have deep 
appreciation for the Chairman’s line of questions, as well as the 
Ranking Member, about who knew what when and this issue of 
silos. 

Obviously, the Department of Homeland Security being the lead 
agency for security needs to know what threats we are facing and 
making sure that the dots are connected, and I haven’t been satis- 
fied previously that that had been happening. I hope that this is 
changing, and we heard some of that in your testimony today. 

I am not going to go on about that, but I will say, obviously, for 
years now, our Federal networks have been under attack, and I be- 
lieve that the infiltration and exploitation of these networks is one 
of the most critical issues confronting our Nation. The acquisition 
of our Government’s information by outsiders undermines our 
strength as a Nation, and if sensitive information clearly is stolen 
and absorbed, our systems are hacked by our adversaries, clearly, 
we are strategically harmed. 

I don’t believe that this administration, at least up until now, 
has made cybersecurity the priority that it should be. I believe that 
is starting to change, and with the right vision and leadership, I 
believe we can improve security of our Federal networks and our 
critical infrastructure. 

There are some promising elements of the Cyber Security Initiative, 
but there are still some gaping holes, and I just want to assure 
the American people that under Chairman Thompson’s leadership 
and the work that we are doing on our subcommittee that we 
are going to continue to perform robust oversight of this issue. 

In terms of questions, in terms of what I see as gaps, what I 
want to know is, how many and what kinds of connections does the 
trusted internet connection cover? For instance, does the TIC cover 
government-to-contractor network connections? Because we know 
that it is not only about the security on networks but authorized 
intrusions. We need to be secure about that. 

We had problems right at the Department of Homeland Security 
where we had contractors plugging unauthorized laptops into our 
own network, which you have viruses on there that infiltrate our 
networks. So you could be securing your networks but if you have 
unauthorized access, that is a problem. 

Also does it cover Federal-to-State and local connections? What 
about public service e-gov Web sites, such as student loans at the 
Department of Education or Social Security or the IRS e-file site? 
How about law enforcement internet connections used for inves- 
tigative purposes? 

So I would like you to answer that, as well as what will the 
Cyber Initiative do to secure federally owned or privately owned 
critical infrastructure, such as nuclear power plants and the elec- 
tric grid from cyber attacks? As part of the TIC consolidation, will 
you consolidate connections between federally owned critical infra- 
structure and the internet? In other words, will dams operated by 
the Bureau of Reclamation or power plants operated by the TVA 
consolidate their connections, and will you install Einstein on these 
connections? 

Ms. Evans. I would be happy to answer the first part of the 
question, which is, what types of connections, and the way that we 
are approaching it is, it is all external connections. 

As you clearly outlined, any external connection to an entity 
causes or poses a risk. So all agencies were required to report back 
to DHS by the guidance of OMB to tell how many external connec- 
tions, and that is all of them, whether it is going to a Federal con- 
tractor, whether it is your internet point of presence, whether it is 
a direct connect between you and another. If it is external to your 
operation, it counts and it is being looked at as part of this effort. 

Because we need to manage the risk associated with those, be- 
cause this is a shared responsibility of managing the risk by de- 
partment, by department. They all have to look at what type of in- 
formation they have, what type of services they are providing and 
then manage the risk accordingly to that. 

So they have all reported in. We gave them a reporting template. 
We have the number baseline of connections that they have right 
now so that we can then move to optimize those going forward. 

Mr. Langevin. And the second part of the question? 

Mr. Jamison. I will just follow up on the critical infrastructure. 

As Karen mentioned, we are focused on all external connections 
and getting those external points solidified. The initial focus of the 
effort is to get the dot-gov networks under stronger intrusion detec- 
tion management and situational awareness. 

We are continuing our dialog through the NIPP process on crit- 
ical infrastructure and how we better manage cybersecurity in 
those areas. We will continue to engage them and develop a stronger 
plan, and some of those initiatives we will be happy to talk in 
more detail about in a classified session. 

Mr. Langevin. That is promising. We are going to continue to 
follow up on that. 

Mr. Chairman, with your indulgence, I do have one last question. 
Have we ever done a full damage assessment of Federal agency 
networks or DHS networks? If not, why not, and will this be cov- 
ered under the Cyber Initiative? 

Mr. Jamison. Not to my knowledge that a full damage assess- 
ment has been done, but I will say that we investigate known in- 
trusions and make sure that each agency follows up and has that 
responsibility, and Karen may want to go into more detail about 
that. 

US-CERT has played a support role in investigating intrusion 
activity and making sure that we follow up with damage assess- 
ments from known intrusions. 

There is a broader effort to do a more detailed risk assessment, 
as we move forward with this initiative on the total risk picture for 
the Federal Government, as we address those risks. 

Karen, you may want to follow up on that. 

Ms. Evans. I would like to clarify a couple of pieces here. One, 
under the FISMA, Federal Information Security Management Act, 
agencies do need to do an assessment right off the bat on all their 
systems, and the guidance has been given out to the agencies, and 
we report on this on an annual basis. So all systems are cat- 
egorized by high-, medium- and low-risk, and we report on that. 
Then they all have to do testing, have security controls in place 
and then also then evaluate what that is. So we report on that on 
an annual basis. That report is due March 1 every year. 

Mr. Langevin. If I could just stop you there, because that is a 
risk assessment. That is different than a damage assessment. 

Ms. Evans. I am going to get there. 

Mr. Langevin. Okay. 

Ms. Evans. So the second part of that is, as a result of the loss 
of data that happened at the VA situation with the personal identi- 
fiable information, we put additional procedures in place so that as 
agencies have things happen — we also now have a BPA available 
for all agencies so that they can then do an assessment after the 
fact so that they can then go in and see how much damage has ac- 
tually occurred, what they are supposed to do. 

The policy is in place, they have teams that are in place at the 
highest levels of each department so that as they lose data, they 
are supposed to assess it, what is the risk associated with that, and 
then take proper precautions and proper notification associated 
with it. 

Mr. Langevin. Okay, but that is prospectively. You are saying 
that we have not and we are not going to do a damage assess- 
ment — 

Ms. Evans. No, sir. They need to do a damage assessment each 
time things — that is how the policy is set up now. So they do an 
assessment as each incident occurs and as they report the incidents 
in. So they report incidents into US-CERT. They have to make an 
assessment at that point depending on the type of incident, by the 
categories we have, and then they have to continue on doing the 
assessment. You are calling it a damage assessment; we call it a 
risk, data breach type of assessment so that they can then take the 
appropriate actions. 

That is whether you turn it over to law enforcement, whether 
you have to notify individuals for the services that you have done 
if their information may have been compromised or notify your 
partners so that they are aware of what has happened within your 
entity to be able to share for more awareness across the board. 

So we have enhanced our procedures to make sure that that is 
being done on a consistent basis. 

Mr. Langevin. I yield back, Mr. Chairman. 

Chairman Thompson. Thank you very much. 

We now yield 5 minutes to the gentleman from Pennsylvania, 
Mr. Dent. 

Mr. Dent. Thank you, Mr. Chairman. 

My question is to Mr. Jamison. 

Mr. Jamison, I guess my first question is, who is in charge of the 
Cyber Initiative and who is going to hold the budget authority for 
it? 

Mr. Jamison. Congressman, for the portions that we are talking 
about today, with the TIC consolidation, we share the lead with 
OMB, but the $115 million budget supplemental that addresses 
this issue of deploying Einstein and dramatically ramping up our 
comprehensive situational awareness, DHS has the budget author- 
ity for that and are owning, operating and managing that equip- 
ment. 

I would be happy to go into more details in follow-up briefings 
on the rest of the classified budget and who has the leads for the 
other pieces. 

Mr. Dent. I guess in a follow-up to that question, if the initiative 
is spread across the entire Government, who is going to have the 
ultimate control over how everybody is working together? Obvi- 
ously, Mr. McCaul pointed out some gaps and people not knowing 
things that they needed to know, apparently, so who is going to 
have that ultimate control to make sure that people are actually 
working together on this? 

Mr. Jamison. Let me answer the question in a couple of ways. 
The director of national intelligence has a coordination role for all 
aspects of the initiative to help coordinate the project management 
of those initiatives. Each individual agency that has authorities 
and responsibilities under the initiative have that responsibility. 

We would be happy to come back in a classified session and give 
you a lot more details on that aspect. 

The Department of Homeland Security plays a key role in the 
protection of the dot-gov and Federal networks from an Einstein 
perspective and has a lead role in that. We also have a coordina- 
tion role across the cybersecurity domain, and we would be happy, 
as that develops, the plan for that develops, to come back up in a 
classified session and lay out in detail how that coordination role 
is going to be played out to coordinate all of the activities across 
the Federal Government. 

Mr. Dent. Thank you for that answer. 

It is also my understanding that US-CERT is going to be able 
to view the content of communications over government networks. 
I guess the question is, why is this important, and what informa- 
tion will they be collecting, and what will they do with it? 

Mr. Jamison. First of all, if I may, I brought a couple of props 
with me, if I can ask one of 

Mr. Dent. Please. 

Mr. Jamison [continuing]. My employees to come up. I would like 
to, kind of, explain to you what the differences are. 

So if you get the other two first, I want to show this. 

Mr. Dent. We can’t see that, by the way. Well, maybe some of 
you can but not me. 

Mr. Jamison. Can you take it up to the Congressman? 

Our current Einstein capability is a flow analysis tool, so if you 
look at the current Einstein flow records, this is the basic informa- 
tion that Einstein captures: IP addresses, the size of data packets 
and where information is flowing from network to network. We 
capture that and then once a day, or routinely, we download it. The 
other chart shows you the types of analysis that we do on that in- 
formation.* 

So we are trying to detect patterns, we are trying to detect mali- 
cious IP addresses and to do analysis on activity that would look 
suspicious or have malicious intent. It is delayed and our effective- 
ness — and we have got good analysts — but our effectiveness is lim- 
ited to how good our analysts are. 

Where we want to go is we want to be able to detect the mali- 
cious code that we know about. When an adversary or an intrusion 
has a signature of malicious code, we want the sensors to be able 
to scan for that malicious code and alert us when we know that we 
have malicious activity. 

Let me point out that this is no different than intrusion detection 
capabilities that are on Federal systems today. They all have com- 
mercial capability to do intrusion detection. What is different is 
that we are going to have comprehensive coverage of our external 
points to make sure that we have got intrusion detection at all 
those points. 

We are also going to make sure it is consistent so the same intru- 
sion detection is consistent, and it is going to be informed by the 
knowledge of the Federal Government of what we know about the 
threat, so we will have the latest signature information on the 
threat comprehensively across the Federal Government. 

So it addresses some of the concerns that I have heard from the 
committee today about not knowing all the threat avenues and one 
agency knowing more threat information than another. This is the 
intent, to get to comprehensive situational awareness. 

Mr. Dent. Thank you. 

Real quickly, the specific role of US-CERT, the administration is 
requesting, I guess, about $100 million more than was enacted last 
year, and so I guess the question is, how are you going to spend 
this US-CERT money? 

Mr. Jamison. It really breaks down into a couple of different 
components. The majority of it is in deploying the equipment, so 
the intrusion detection equipment to the sites. We also have a large 
chunk of money, about $43 million, for the 2008 budget in facilities 
as we ramp up our capabilities to add more people. 

We have to build the backend analytical capabilities. So just as 
I have shown you, some of the analysis has to be done on flow 
records. We need to build our capability to do analysis on that, to 
handle a much larger percentage of the traffic. Currently, our Ein- 
stein capability handles a very, very, very small percentage of the 
Federal Government traffic. We want to expand that to 100 percent 
through this initiative, so we have to back up our analytical capa- 
bility. 

It also will allow us to build our malicious malware analysis labs 
and those things and expand them to handle the additional volume. 

Those are the major components. 

Mr. Dent. Thank you. I yield back. 

Chairman Thompson. Thank you very much. 

We now recognize the gentlelady from California, Ms. Harman, 
for 5 minutes. 

Ms. Harman. Thank you, Mr. Chairman, and thank you for hold- 
ing this hearing. 

As I think the witnesses know, Members of this committee have 
received a number of classified briefings on the threat. Obviously, 
we are not discussing the threat here, but since my focus over all 
my years in Congress, all 100 years that I have served in Congress, 
has been on security threats, I take that kind of information very 
seriously, and I think the threats are substantial, starting with 
hackers but going on to much bigger threats. 

I have been sitting here with my mouth open. I think that this 
hearing reminds me of FEMA trailers, the Government doing some- 
thing and 2 years later deciding that it is toxic and taking it away. 
I think while all of you are well meaning and working hard at your 
jobs, the fact that you don’t have the threat information and that 
you are working on projects that will take years to complete is ab- 
solutely shocking. Let me repeat that: I think it is shocking. 

If we are serious about these threats — and I am serious about 
these threats — we are not being serious about our response to the 
threats. It is not timely, I don’t get any sense of urgency, I don’t 
think much of it will work. 

As an example, as we all know, most of the cyber network is in 
the private sector. I think, absolutely, everybody knows that. You 
have been talking about private sector collaboration and coopera- 
tion. My understanding is the private sector considers Einstein too 
passive, and it doesn’t deliver information in real time. 

So how is it that we are going, in real time, have a response to 
a very significant threat? I just don’t see it happening. I don’t see 
DHS being able to do it within DHS, let alone coordinate a re- 
sponse across our Government. So I am sitting here really con- 
cerned about that. 

Second, I hear from constituents all the time in my district. They 
are really aware of programs that involve having access to personal 
information of American citizens. Obviously, for this program to 
work, as you have been discussing, there has to be some collabora- 
tion with some of our security agencies, like NSA and DOD. 

I have no doubt that you are working on, and that we have been 
briefed on, some legal protocols about all that and that there is an 
effort to protect privacy. However, I assure you that constituents 
of mine listening to this hearing — and I am sure they are all tuned 
in, even though it is pretty early in California — are thinking about 
this as, “Government sets up new spy network.” That is how they 
are going to receive this information. 

So let me ask you to respond — all of you — to what I have just 
said, two parts. No. 1, is this in real time and fast enough to mount 
a serious response to a serious threat? No. 2, what would you ad- 
vise me to tell my constituents who are going to call me this after- 
noon and ask me how I am going to stop this latest government 
spy network into their personal privacy? 

Mr. Jamison. Thank you, Congressman, I will address those. The 
previous charts I put up were trying to get exactly to that point. 
Obviously, I could do a better job of explaining it. But I would say 
that right now our Einstein capability is passive. We are looking 
at flow records, we are not looking for malicious activity, we are 
doing it after the fact, and we want to move that to real-time intru- 
sion detection capabilities. So we want to make sure we lock down 
our nodes of access to the Federal Government and give ourselves 
real-time malicious activity intrusion detection. 

So that is exactly the intent of this. We are aggressive about it. 
We are going to be employing — as we ramp down the number of lo- 
cations, we are going to be deploying that equipment this year. As 
you can tell by our budget request, we have ramped up our capa- 
bilities to respond to that. 

Second, on the privacy issue, I can tell you one thing: First of all, 
privacy and civil rights has been a top priority for this. We have 
had our privacy folks and our civil rights folks involved in this 
from the very start. Current Einstein has a privacy impact assess- 
ment that is public. We are currently in the process of doing a pri- 
vacy impact assessment for the new capability as we move it for- 
ward, as well as full legal review, and we take that matter very 
seriously. 

But I would like to add that the capability that we are talking 
about for detecting that malicious activity in real time is no dif- 
ferent than a commercial intrusion detection capabilities at many 
agencies and every corporation in America has on their systems. 
The issue is, it is going to be comprehensive, it is going to be con- 
sistent, it is going to be informed by our threat information. 

Ms. Harman. It is going to be massive, and it is going to be 
across the Government and possibly across the private sector. So 
it is a little bigger than any of the other networks or tools that in- 
dividual companies have, right? 

Mr. Jamison. We are not talking about the private sector right 
now, we are talking about the Federal Government node and the 
traffic coming into the Federal Government. 

Ms. Harman. Got it. 

Other people have any answers to my two questions? 

Ms. Evans. Yes, ma’am, I would like to answer those questions 
as well. 

In everything that we are talking about and even on the threat 
information and the vulnerabilities that we are all aware of, this 
all starts with a defense in depth. There is no silver bullet, we all 
know that, and so there are several things that the agencies are 
doing that, first and foremost, most of these come from exploiting 
known vulnerabilities and through configuration management. 

There is a very extensive effort, and I mentioned this in my testi- 
mony and we did this jointly with the NSA, which is set up the 
way that FISMA was intended where they would do standards in 
an open setting, and then we would go through the process that the 
Commerce Department has. So we have set up 700 settings that 
then reduce the vulnerability and then make sure that what we are 
doing is building that in right up front. 

So some of these things that are common sense we are going 
ahead and trying to take care of that on a mass basis. That is also 
then going to be built into the computers that get delivered to the 
agencies. So in spite of themselves, they will be successful, because 
they will be coming configured securely. That is the first thing that 
we are doing, because those things we should take those right off 
the table, and that should not be an issue. 

The other thing that the agencies are doing are also encrypting 
all their data — data at rest, data that is mobile — so that should 
that happen, that then it becomes harder. So you are raising the 
threshold up. 

Then we are also using two-factor authentication, which then 
makes sure that people who are authorized, you know that those 
are the people who are supposed to be on your networks. 

So we have these in place. The agencies are rolling out, they 
have these measures, they are implementing these, and they are 
upgrading their security as they go forward. 

As part of privacy and security, that is an administration con- 
cern, has always been. It is a high priority, and we have been doing 
all of these activities in a very transparent way, so that everyone 
can comment on what we are doing. The privacy impact assess- 
ments are out there. We put it through the Federal Register notice 
process so that it is done in a very transparent way to make sure 
that the citizens know how we intend to protect that information. 

Ms. Harman. Did you want to comment? 

If he could just finish his response, I would appreciate that. 
Thank you. 

Mr. Charbo. I would just add that the Einstein program is only 
a part of the total cyber effort. We are really focused on also chang- 
ing the way networks are operated. That is down at the operator 
level. In terms of just their situational awareness, their training 
and how they react and respond on a daily basis to operations, as 
well as to how we procure, how we also configure the different 
things, which Ms. Evans just went into. 

Chairman Thompson. Thank you. 

The gentleman from Georgia, Mr. Broun. 

Mr. Broun. Thank you, Mr. Chairman. 

I would like to just go a little further with a question that Mr. 
Dent asked you all. 

Secretary Jamison, it is my understanding that you all can view 
the content of all the dot-gov connections, and I am concerned 
about privacy too, as Congresswoman Harman is. We have had 
your folks from civil rights as well as the privacy protection of DHS 
come testify before this committee, and the question I have or 
frustration I have is, I don’t really see beyond just DHS how folks in 
my district, privacy is really going to be protected. It looks almost 
like the fox guarding the henhouse, proverbially. 

As a United States Marine, I am very concerned about the secu- 
rity of this Nation, and as an original intent constitutionalist, I be- 
lieve that national security and what you guys are doing is the 
prime purpose of the U.S. Government. But I am not convinced, as 
I think Ms. Harman is not convinced, that privacy is going to be 
protected in the process of developing these cyber protections with- 
in the government connections. 

I encourage you to try to find something beyond Einstein that is 
going to be focusing on the bad guys and not focusing just on the 
general public but finding some way to protect the privacy of Amer- 
ican citizens, the good guys. As I see DHS developing these poli- 
cies, when I go through security at airports or all these other 
things, it just looks to me as if we are focusing more of our re- 
sources, which are very limited, more of our personnel, greater and 
greater bureaucracy on focusing upon all us good guys and not on 
the bad guys. 

Can you assure me or tell me how you all maybe can go to Ein- 
stein 2.0, or whatever the system is, that is going to protect the 
privacy rights of American citizens, the good guys, and make sure 
that we don’t have these security threats within the cyberspace of 
the dot-gov connections? 

Mr. Jamison. Thank you, Congressman. 

First of all, let me say that this is a comprehensive initiative, 
and there are a lot of agencies involved, and it has a comprehen- 
sive plan. We want to make sure that we have the opportunity to 
brief that to you in full in a classified session. 

From the standpoint of privacy, it is a top concern. We are cur- 
rently not looking at content, as you put it. That is where we need 
to go. 

Mr. Broun. Not looking at any content. 

Mr. Jamison. Not currently. We are proposing that we are going 
to do that. 

Mr. Broun. That is my concern, too. 

Mr. Jamison. We are going through a privacy impact assessment 
to do that and make sure that we follow all the civil rights and 
civil liberties that are associated with that. 

Congressman, the threat is real. Our adversaries are very adept 
at hiding their attacks in normal traffic and the normal everyday 
traffic that comes across the network very well could be disguised, 
and it could be malicious. So the only true way to protect your net- 
works is to have intrusion detections. It is what everybody has on 
all their networks now. It is not just consistent in the Federal Gov- 
ernment, and it is not informed by our latest threat information of 
what we know. That is what we are talking about. 

There are a lot of other activities that we need to do to focus on 
improving cybersecurity beyond just this and the effort that we are 
talking about today, and we are working on that, and we would be 
happy to brief you on that in a detailed session. 

Mr. Broun. Okay. Thank you very much. 

Mr. Chairman, thank you. I yield back. 

Chairman Thompson. Thank you very much. 

We now yield 5 minutes to the gentleman from North Carolina, 
Mr. Etheridge. 

Mr. Etheridge. Thank you, Mr. Chairman. 

Let me thank you for being here. I must confess, I join Ms. Har- 
man in listening to the testimony this morning. 

So, Mr. Jamison, given the hundreds of cyber incidents that have 
taken place over the last few years, how would you rate the De- 
partment’s response to cybersecurity, A through F? 

Mr. Jamison. It’s been a while since I have been in school. I 
think currently we are 

Mr. Etheridge. Well, you find the number you want to, I will 
be happy. 

Mr. Jamison. I think we are a solid C, and if you will allow me 
to expound on that from the standpoint of, as I mentioned before, 
our current capability from a US-CERT standpoint, and I am 
strictly talking about 

Mr. Etheridge. Let me just say something: If you say a solid C, 
you know, I was a State superintendent of schools for a few years, 
that is sort of average, at best. 

Mr. Jamison. That is why we are here, Congressman. 

Mr. Etheridge. That isn’t even close to being good enough in 
what we are talking about for the American people. But I will let 
you continue, because I have another question following that. 

Mr. Jamison. Congressman, that is why we are here. As I said 
in my opening statements, we need to do more. Currently, from a 
DHS and US-CERT perspective of having that responsibility across 
the Federal domain, we need to have more comprehensive 

Mr. Etheridge. All right. Given that then, can you tell this com- 
mittee what accountability has been put in place, because there are 
well-recorded numbers of breaches in the Government system? 
What accountability do we have in place when that happens? If it 
happens on my watch, what accountabilities am I accountable for? 

Mr. Jamison. Well, I will defer to Karen to talk about the FISMA 
accountabilities and some of their requirements that each CIO has. 

Ms. Evans. We hold the agencies accountable through a quar- 
terly process. We manage, through the President’s management 
agenda, on the score card. However, when incidents occur, agencies 
are held accountable. We do work with them to ensure — because, 
first and foremost is when it does occur, that there is a proper re- 
sponse, because it is involving the citizens’ data, and, first and fore- 
most, we have to make sure that the way that we handle that re- 
sponse is addressing their immediate needs and that we take the 
proper precautions in place to ensure that the citizen then knows 
that we are addressing that. 

Yes, sir. 

Mr. Etheridge. Let me follow up on that, because I think that 
leads to a little broader question in that area, because every year 
OMB says that agencies are implementing more security controls 
on their computers, yet every year the number of successful pene- 
trations in the Federal networks rise. This means that every year 
we lose more and more information to our adversaries. 

That being true, OMB measures success by the percentage of 
certified and accredited computer systems, but even the stamp of 
approval that you are just talking about, sensitive data tends to seep 
out, okay? 

That being true, are we using the right metrics? The second part 
of that question, shouldn’t we be measuring our ability to stop at- 
tacks or at a minimum use our ability to detect and respond to at- 
tacks as the correct metric? Wouldn’t that seem to be a better met- 
ric to use in terms of where we are than just measuring the other 
pieces? I mean, that just seems common sense to me. 

Ms. Evans. Okay. I would agree with you that initially when we 
first started this process, when FISMA’s predecessor was the Gov- 
ernment Information Security Act, and many of the Members have 
brought this up: Initially, agencies didn’t know what they didn’t 
know. So metrics evolved, and these are the first sets of metrics 
that we use so that agencies could make sure that they knew what 
their inventory was. Because if you don’t know what you own, then 
you can’t manage it appropriately and know the risk associated 
with it. 

So the first set of metrics and the things that we have measured 
may need to improve, and we have talked to Congress about this 
and GAO, because we are now — and I would agree with you that 
the metrics that we look at are more output-oriented right now, 
and we are moving now to a level of more performance, such as the 
types of metrics that you are talking about, because 

Mr. Etheridge. Seems to me that is how you measure it. 

Ms. Evans. Absolutely, and you know what the baseline is now. 
We know what these systems are, we know how the agencies are 
categorizing the systems, and there is consistency across the board. 

Mr. Etheridge. My time is running out. Let me touch one more 
point, if I may get it in, because I think this is critical. 

Because it seems to me there are flaws on the on-the-job train- 
ing. I mean, we have already heard that. If we aren’t giving proper 
training and ongoing training, management practices within Fed- 
eral agencies where workforces do not understand the effects of 
their actions on national security. I mean, what are we doing to 
train employees? That is the other side of it. We have got to meas- 
ure both pieces, and that metric, it seems to me, has to change, if 
we are going to get — because if we do the same thing we have al- 
ways done, we are going to get the same results we have always 
gotten. 

Ms. Evans. May I answer? 

Mr. Etheridge. Please. 

Ms. Evans. Thank you, sir. 

Okay, so we pick certification and accreditation because it is a 
soup-to-nuts process. If an agency approaches the process for com- 
pliance, checks the box, because I have to tell OMB and then it 
goes to Congress, we aren’t going to get the result that we intend. 

But if you look at the process associated with that, all the issues 
that you brought up, when you certify an accredited system, you 
have to know what it is, you have to analyze the risk, you have 
to put together rules of behavior so that each user, as they sign on, 
know what they are supposed to do and the consequences associ- 
ated with not doing that. 

The last part of that also is residual risk, because the manager 
in charge needs to say, “That service is important. I will live with 
this risk. Here is the compensating control and hold me 
accountable.” 

That is really how the process is supposed to work, and that is 
where we have to now move it to the next level so that we are actu- 
ally achieving the result versus a paperwork exercise where we just 
get a bunch of paper and people are producing stuff and people 
don’t really know what their responsibility is and what they should 
be held accountable for. 

Mr. Etheridge. We are doing a lot of work. 

Ms. Evans. We are improving it. 

Mr. Etheridge. But the results are meager for the investment, 
and we have got to do better to protect the American people. I real- 
ly believe that. Thank you. 

Thank you. 

I yield back, Mr. Chairman. 

Chairman Thompson. Thank you. 

The gentleman from Texas, Mr. Green, for 5 minutes. 

Mr. Green. Thank you, Mr. Chairman. Thank you and the Rank- 
ing Member for holding this hearing, and because I know that time 
is of the essence, I will move as quickly as possible. 

I have a few questions, and thank you, witnesses, for appearing 
today. 

Is it true, Mr. — is it, Charbo, am I pronouncing it correctly? — Mr. 
Charbo, that you were the CIO of Homeland Security at a time 
when some intelligence reports about hacking were known to other 
agencies but not reported to you? Is this true? 

Mr. Charbo. Well, sir, I am not sure what was reported to other 
agencies. My assumption is, is that is probably correct. 

Mr. Green. Okay. At a 2007 hearing, according to the intel- 
ligence that I have, the Department of Homeland Security CIO, 
Scott Charbo — that would be you — told the committee that he had 
never received any intelligence reports about nation states hacking 
and that he was unfamiliar with the activity. 

Mr. Charbo. The response, I believe, was that we had had one. 
I had had one previous to that hearing, which was sponsored 
through the CIO Council 

Mr. Green. Yes, sir. 

Mr. Charbo [continuing]. And at that time, there was nothing 
that pointed back to DHS. 

Mr. Green. You were not familiar with it. There were others 
who knew but you did not know; is this true? 

Mr. Charbo. Not by the name, I believe, that was being dis- 
cussed at the hearing. I mean, obviously, we had heard about na- 
tion state hacking and different nations, but I had never had a 
briefing that pointed back to the Department. They were all, basi- 
cally, in general at a lower classification level. 

Mr. Green. Well, did it happen? Maybe I should start there. Did 
this happen? Was there actually a hacking that took place? 

Mr. Charbo. At the Department? 

Mr. Green. Yes, sir. 

Mr. Charbo. We have lots of security events at the Department. 
Whether or not those are nation states 

Mr. Green. Whether they are nation states — all right, let’s talk 
about nation states. Was there a nation state hacking? 

Mr. Charbo. Yes, there are a few that we are looking at, and we 
would have to address that on a classified level. 

Mr. Green. Okay. Is it your opinion that we have not had any 
cross-agency intelligence failures? 

Mr. Charbo. I certainly think it can be improved, and I think 
that is what this effort is about. 

Mr. Green. All right. Well, let me go to my next question. Is it 
true that we had a contractor charged with securing networks at 
the Department, and this contractor did not install intrusion detec- 
tion systems? 

Mr. Charbo. Those are gaps that we identified, and that we had 
them put in place. 

Mr. Green. Is that a true statement? 

Mr. Charbo. That is a true statement. 

Mr. Green. Okay. The question becomes then, what are the con- 
sequences when we have these kinds of occurrences? Have we ever 
had a contractor terminated for failure to perform to the level that 
this contractor failed to perform? Terminated. We are not talking 
about renewing a contract. But have we ever had one terminated? 

Mr. Charbo. Well, I can only speak to this incident. I mean, 
from a broader contracting perspective, that would have to go to 
our contracts. We did recompete this contract. 

Mr. Green. Let me ask you about what you know? Do you know 
of any contractor ever having been terminated? 

Mr. Charbo. I can’t speak to anything specific. 

Mr. Green. So you don’t know of one. 

Mr. Charbo. To my knowledge, I don’t know of that. 

Mr. Green. Okay. Do you know of anyone who has ever been 
fired for failure to properly provide intelligence across agencies that 
should have been provided? 

Mr. Charbo. I couldn’t put a name on it, but, certainly, we have 
had contractors removed. 

Mr. Green. Well, now I am talking about a person being fired 
as opposed to a contractor. We went through the contracting and 
you indicated that you didn’t know about the contractors. 

Mr. Charbo. The question is? 

Mr. Green. The question is, have we had anybody fired? Has 
anybody ever been fired? 

Mr. Charbo. To my knowledge, I have never fired a Federal em- 
ployee. We certainly have responded to performance, but I have not 
fired a Federal employee. 

Mr. Green. Do you know of anyone that has ever been fired for 
failure to perform in this area of sensitive security information 
transmission? 

Mr. Charbo. I can’t speak to anything specifically. 

Chairman Thompson. Will that gentleman yield? 

Mr. Green. Yes, sir. 

Chairman Thompson. In the interest of making sure we get the 
record straight, Mr. Charbo, that incident that was referred to by 
Mr. Green I think it was the committee staff that brought it to 
your attention of your shop that there had been some problems 
with a contractor that you all were not aware of. I think after that 
was brought to your attention, you all moved forward and looked 
at it. 

Please. 

Mr. Charbo. The one incident that I believe is being referred to 
was made aware of by our staff. What was incomplete was the clo- 
sure of that because of the different opinions. I mean, much of this 
hearing is about the level of data that you receive on a particular 
event. One analyst can look at a piece of data and have one inter- 
pretation. Several others can look at it and have different interpre- 
tations. A lot of that is dependent on the situational awareness 
that an individual has. 

In this case, that is what was presented to me. That coincided 
with the hearing. We asked for that information. At that time, I 
turned that over to our security group and said, “I have conflicting 
information here. It is something for you to look at.” 

I believe that is currently still under investigation, sir. 

Mr. Green. All right, Mr. Chairman, thank you. 

Chairman Thompson. Thank you very much. 

We now have three votes on the floor, and we have concluded all 
of our witnesses and our questions for the witnesses. I would like 
to thank them for their valuable testimony. The Members of the 
committee may have additional questions for the witnesses, and we 
will ask that you would respond expeditiously in writing to those 
questions. 

Hearing no further business, the committee stands adjourned. 

[Whereupon, at 11:27 a.m., the committee was adjourned.] 

Question From Honorable Yvette D. Clarke for Honorable Karen Evans, 
Administrator for Electronic Government and Information Technology, 
Office of Management and Budget 

Question. Ms. Evans, it is my understanding that you have worked with Director 
Will Pelgrin, head of NY State’s Cyber Security Office and the chair of the Multi- 
State Information Sharing and Analysis Center, including coordination on the Data- 
at-Rest Smart Buy program. Can you describe your involvement with this effort 
with the State and local governments and what were the results? 

Answer. SmartBuy is a Government-wide initiative which leverages the Federal 
Government’s requirements and buying power. As a member of the governance 
board, we help determine the priorities and technical requirements to be included 
in SmartBuy efforts. A major effort of the SmartBuy program was the Data-At-Rest 
(“DAR”) Blanket Purchase Agreements (BPAs) to provide encryption products 
to Federal agencies, NATO, and State and local governments to protect sensitive, 
unclassified data on mobile computing devices and removable media. 

Protecting DAR is increasingly critical in today’s information technology (IT) envi- 
ronment of highly mobile data and decreasing device size. Personal identity informa- 
tion or sensitive Government information stored on devices such as laptops, thumb 
drives and personal digital assistants (PDAs) can be unaccounted for and unpro- 
tected, and can pose a problem if these devices are compromised. In addition to sav- 
ing taxpayer dollars, the DAR BPA enhances DAR information security and requires 
vendors to meet stringent technical and information assurance requirements. 

OMB Memorandum M-06-16, Protection of Sensitive Agency Information, issued 
in June 2006 was a key impetus for the actions resulting in these agreements. Two 
months after OMB issued this memo, the DoD Data-at-Rest Tiger Team (DARTT) 
was developed to address technical requirements. Eventually, the DARTT evolved 
into an interagency team comprised of 20 DoD components, 18 Federal agencies and 
NATO, with State and local governments joining in March 2007. These require- 
ments were presented to the governance board and accepted. 

The State and local governments are participating under GSA’s Cooperative Pur- 
chasing Program, which allows them to purchase IT products and services from both 
GSA’s Multiple Award Schedule 70 and Consolidated Schedules that have IT special 
item numbers. 

To date 127,296 licenses have been issued across 15 States (including local gov- 
ernments). This has resulted in savings of $24.1 million on purchases of encryption 
software through use of these Federal DAR contracts and approximately $8 million 
using the special State and local government offers — for a total of more than $32 
million in savings/cost avoidance to date. 

Question From Honorable Yvette D. Clarke for Honorable Robert D. 
Jamison, Under Secretary, National Protection and Programs 
Directorate, Department of Homeland Security 

Question 1. Secretary Jamison, how much of the Infrastructure Protection and In- 
formation Security (IPIS) account in the fiscal year 2009 budget request is intended 
to support State and local Government cybersecurity activities? 

Answer. The Department of Homeland Security collaborates with a broad range 
of security partners, including State, local, and international governments, private- 
sector owners and operators, and individuals, in its efforts to improve the Nation’s 
cybersecurity posture. Specifically, the Department’s United States Computer Emer- 
gency Readiness Team (US-CERT), the national focal point for coordinating the de- 
fense against and response to national cyber attacks, engages with State and local 
governments by sharing information with States and providing direct support to 
States requiring response and recovery assistance. Budgetary support for State and 
local government cybersecurity efforts is embedded within the Department’s many 
programs and activities and does not maintain a specific line item; however, the De- 
partment does provide funding to the Multi-State Information Sharing and Analysis 
Center (MS-ISAC). Much of the increase in funding to cybersecurity will result in 
improved situational awareness of threats, intrusions, and response methods across 
the Federal domain. State and local governments will benefit from this enhanced 
focus. 

Through a contract with the Department, the MS-ISAC supports a number of 
operational and awareness activities. The current contract with the MS-ISAC, span- 
ning from November 2007 through November 2008, totals $1,694,825, and a similar 
amount is estimated for fiscal year 2009. These activities include operating the MS- 
ISAC State and Local Operations Center for Cybersecurity, which collaborates with 
US-CERT and contributes to State and local cybersecurity by maintaining situa- 
tional awareness of the State cyber landscape; by hosting bi-monthly webcasts with 
cybersecurity experts for the general public to raise awareness about emerging 
cybersecurity issues; and by developing cybersecurity educational materials offering 
best practices, tools, and tips as part of the Department’s national cybersecurity 
awareness efforts. 

In addition to the funding provided to the MS-ISAC for these efforts, the Depart- 
ment has dedicated staff to support ongoing MS-ISAC efforts. This includes more 
than two full-time equivalents who liaise with the MS-ISAC to ensure coordination 
with the Department on current State and local government efforts by engaging in 
MS-ISAC activities, including various working groups to help with the creation, 
production, and dissemination of education and awareness resources for use by the 
States; and by participating in regular meetings as well as the MS-ISAC annual 
meeting. In addition, Department staff members work to oversee the fulfillment of 
the statement of work. Staff support to and coordination with the MS-ISAC is esti- 
mated at $270,000 annually. 

An important component of the Department’s work is its support of efforts to ad- 
vance State and local cybersecurity activities. In addition to funding provided to 
support the MS-ISAC, the Department has committed significant resources, 
through various programs and activities, to help State and local security partners 
address their cybersecurity preparedness and response needs and effectively manage 
cybersecurity issues. 

Question 2. Secretary Jamison, how much of the increased funding to DHS for 
cybersecurity initiatives to address improvements in the security posture of State 
and local governments is specifically set aside for programs to be coordinated or per- 
formed by the Multi-State ISAC? 

Answer. The Cyber Initiative is an interagency effort that aims to enhance the 
security of Federal Government networks. Increased funding has been primarily di- 
rected to enhancements for the Department of Homeland Security’s United States 
Computer Emergency Readiness Team (US-CERT), the Nation’s watch and warning 
mechanism. US-CERT provides around-the-clock monitoring of cyber infrastructure 
and coordinates the dissemination of information to key constituencies, including all 
levels of government and industry. It serves as the focal point for helping Federal, 
State, local, and international governments, industry, and the public work together 
to achieve the appropriate responses to cyber threats and vulnerabilities. The addi- 
tional funding allocated to enhance US-CERT capabilities is primarily focused on 
improving Federal network security through programs such as the Trusted Internet 
Connections (TIC) initiative and the Einstein program. It will also result in in- 
creased level of service and information sharing with all cybersecurity partners, 
which includes all of the Information Sharing and Analysis Centers (ISACs); how- 
ever, no additional funding has been allocated to the Multi-State Information Shar- 
ing and Analysis Center (MS-ISAC) or any other ISAC under this initiative. 

Although the Cyber Initiative is focused on Federal networks, the enhanced prod- 
ucts and services from US-CERT will provide specific additional benefits to State 
and local governments. States are dependent upon Federal network operations and 
information for a range of services and daily critical functions. Cyber threats to the 
Federal networks could have potentially devastating effects on State and local gov- 
ernment networks given their interconnectedness. Improving US-CERT’s capabili- 
ties to monitor, detect, report, and mitigate malicious activity will enable the De- 
partment to identify threats to Federal networks more effectively and efficiently, 
thus protecting those networks upon which State and local governments rely. 

The Department recognizes the importance of State and local government 
cybersecurity in its efforts to better secure the Nation’s cyber assets. Under the 
Cyber Initiative, programs and activities to secure Federal networks will benefit 
State and local governments. Through US-CERT’s enhanced watch, warning, and 
response capabilities, State and local governments will benefit from improved 
information sharing of alerts, warnings, and mitigation plans. In addition, the 
Department has established and maintains strong cooperative relationships with State and 
local governments, and it has developed several programs directed at addressing 
State and local government cybersecurity issues. With existing and new programs, 
the Department remains committed to improving the cybersecurity posture of State 
and local governments. 